I am using this script to populate DynamoDB: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/LoadDataPHP.html
I'm getting this error using the AWS SDK:
PHP Fatal error: Uncaught exception 'Aws\Exception\CredentialsException' with message 'Cannot read credentials from /root/.aws/credentials' in /var/www/vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:263
According to https://docs.aws.amazon.com/aws-sdk-php/v2/guide/credentials.html
If you do not explicitly provide credentials to the client object and no environment variable credentials are available, the SDK attempts to retrieve instance profile credentials from an Amazon EC2 instance metadata server. These credentials are available only when running on Amazon EC2 instances that have been configured with an IAM role.
I have an IAM role attached to my instance with full power user access. I have confirmed the role is working fine via the AWS CLI, which can access DynamoDB without any credential configuration.
Any suggestions as to what I could be doing wrong? I am under the impression (and interpret that credentials document to say) that I don't need to configure any credentials, hence the use of the IAM role.
To view role-last-used information in the IAM Console, select Roles in the IAM navigation pane, then look for the Last activity column (see Figure 1 below). This displays the number of days that have passed since each role made an AWS service request. AWS records last-used information for the trailing 400 days.
EC2 instances should use IAM roles and instance profiles instead of IAM access keys to perform requests. By passing role information to an EC2 instance at launch, you can limit the risk of access key exposure and help prevent a malicious user from compromising the instance.
<?php
use Aws\S3\S3Client;
use Aws\Common\Credentials\Credentials;

$credentials = new Credentials('YOUR_ACCESS_KEY', 'YOUR_SECRET_KEY');

// Instantiate the S3 client with your AWS credentials
$s3Client = S3Client::factory(array(
    'credentials' => $credentials
));
I just wanted to expand a bit on this for anyone else that may end up in this situation.
Then don't use the profile line when creating a client. If you do specify profile in your client it tells the SDK to override any form of credentials you set in the client with a profile from the credentials ini file.
Mentioned (but buried a bit) in the PHP SDK V3 documentation here: https://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/configuration.html#profile
$client = new SqsClient([
    'profile' => 'default', // <--- Don't use this line if you're using IAM Roles for credentials
    'region' => 'us-west-2',
    'version' => '2012-11-05'
]);
The PHP SDK documentation recommends using IAM roles above all other credentials for EC2 instances. That's fine and makes total sense. The misleading part to newcomers is for example this scenario;
The problem here is that all of the code examples (with the exception of the S3 examples) contain the profile setting that breaks the IAM role credential method.
The code examples should at least have a reference to what profile does.
This line in the code:
'profile' => 'default',
is what was causing my issue. If you are using an IAM role you do not require the profile line, and removing it will fix the "Cannot read credentials" error.
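The fix described in the answers above, as an added example that is not part of the original posts: a DynamoDB client for SDK v3 built with no 'profile' key and pinned to the instance profile provider, with a check that the resolved credentials are temporary role credentials. It assumes the SDK is installed via Composer and that the script runs on an EC2 instance with an IAM role attached; the region and the printed messages are illustrative.

```php
<?php
require 'vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\DynamoDb\DynamoDbClient;
use Aws\Exception\CredentialsException;

// Use only the EC2 instance profile (IAM role) as a credential source.
// memoize() caches the credentials and refreshes them once they expire,
// so the metadata service is not queried on every request.
$provider = CredentialProvider::memoize(CredentialProvider::instanceProfile());

try {
    // Resolve once up front so a missing role fails here, with a clear
    // message, instead of inside the first DynamoDB call.
    $creds = $provider()->wait();
} catch (CredentialsException $e) {
    fwrite(STDERR, "No instance profile credentials: " . $e->getMessage() . "\n");
    exit(1);
}

// Role credentials are temporary: the key ID starts with "ASIA" and an
// expiration time is set. Long-lived IAM user keys start with "AKIA".
// Only the 4-character prefix is printed, never the secret or the token.
$prefix  = substr($creds->getAccessKeyId(), 0, 4);
$expires = $creds->getExpiration();
printf(
    "Key prefix: %s, expires: %s\n",
    $prefix,
    $expires ? gmdate('c', $expires) : 'never (static key)'
);
if ($prefix !== 'ASIA' || $expires === null) {
    fwrite(STDERR, "Warning: credentials do not look like role credentials\n");
}

// No 'profile' key here: setting it would send the SDK to the shared
// credentials file (for example /root/.aws/credentials) instead of the role.
$client = new DynamoDbClient([
    'region'      => 'us-west-2',
    'version'     => '2012-08-10',
    'credentials' => $provider,
]);

// A read-only call to confirm the role is authorized for DynamoDB.
$result = $client->listTables(['Limit' => 5]);
print_r($result['TableNames']);
```

Leaving out both 'profile' and 'credentials' also works, since the SDK's default provider chain falls back to the instance profile; pinning the provider as above additionally keeps a stray credentials file or environment variable on the host from being picked up.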